WILSON ELSER 

WILSON ELSER MOSKOWITI EOELMAN 8 DICKER LLP 


October 19, 2018 


Gregory J. Bautista 

914.872.7839 (direct) 
Gregory.Bautista@wilsonelser.com 


Sent Via Email 


Acting Attorney General Barbara Underwood 
New York State Attorney General’s Office 

Security Breach Notification 
Internet Bureau 
120 Broadway - 3 rd Floor 
New York, New York 10271 
breach.security@ag.ny.gov 

New York State Division of State Police 

Security Breach Notification 
New York Stale Intelligence Center 
630 Columbia Street Ext 
Latham, New York 12110 
risk@nysic.ny.gov 

New York State Department of State 
Division of Consumer Protection 

Atm: Director of the Division of Consumer Protection 

Security Breach Notification 

99 Washington Avenue, Suite 650 

Albany, New York 12231 

security_breach_notification@dos.ny.gov 

Re: Potential Data Security Incident 


Dear Acting Attorney General Underwood: 

We represent Gale & McAllister, PLLC with respect to an incident involving the potential exposure of 
certain personal information described in detail below. 

1. Nature of the possible security breach or unauthorized use or access 

On September 5, 2018, Gale & McAllister, PLLC (“Gale & McAllister”) discovered that a client received 
fraudulent wire instructions from an employee’s email account. Upon discovering this, Gale & McAllister 
immediately took steps to secure its email accounts, warned clients not to wire funds without verifying the 
instructions by telephone, and engaged computer experts to determine whether information in the 
employee’s email account was at risk. On October II, 2018, Gale & McAllister determined that an 
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unknown, unauthorized third party could have viewed documents in employees’ email accounts that 
contained clients’ names. Social Security numbers, dates of birth, driver’s license numbers or passport 
numbers. 

2. Number of New York residents potentially affected 

Approximately 2 New York residents were affected in this potential incident. Gale & McAllister sent the 
potentially impacted individuals a letter notifying them of the incident on October 19, 2018. A copy of the 
notification sent to the potentially impacted individuals is included with this letter, which informs these 
New York residents about the 12 months of credit monitoring and identity theft protection services that is 
being offered to them at no charge. 

3. Steps Gale & McAllister has taken or plans to take relating to the potential incident 

Gale & McAllister takes the privacy and security of personal information very seriously and has continued 
to take steps to secure client data. Upon learning of this issue, Gale & McAllister immediately engaged 
computer forensic experts to determine whether information in the accounts was at risk and took steps to 
prevent a similar event form occurring in the future, including increasing email account security, reviewing 
and revising its wire transfer procedures and training employees on best practices to counter the growing 
activity of cybercrime. 

4. Other notification and contact information 

If you have any questions, please contact me at Gregoiy.Bautista@wilsonelser.com or (914) 872=7839. 

Very truly yours, 
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78 Severance Green Suite 102, Colchester, VT 05446 
With additional closing offices located in Williston and Stowe 
P 802 876 7478 F 802 871 5742 

www gmlawvt coni 

October 19, 2018 

[FirstJNlame][Last_Name] 

[Street_Address] 

[City][State][Zip] 


Dear [First_Name][Last_Name]: 

We write to inform you of an incident that may have put your name, date of birth, driver’s license number 
and Social Security number at risk. We take the security of your information very seriously and sincerely 
apologize for any inconvenience this incident may cause. This letter contains information about what 
occurred and steps we can collectively take to protect your information. 

What happened and what information was involved: 

On September 5, 2018, we discovered that a client received fraudulent wire instructions from an employee’s 
email account. We immediately took steps to secure our email accounts, warned clients not to wire funds 
without verifying the instructions by telephone, and engaged computer experts to determine whether 
information in the employee’s email account was at risk. On October 11, 2018, we determined that an 
unknown, unauthorized third party could have viewed documents in employees’ email accounts that 
contained your name, dale of birth, driver’s license number and Social Security number. The unauthorized 
party’s primary motive looks to be wire interception, but we are sending this letter to provide you with 
resources and information you can use to protect yourself. 

What we are doing and what you can do: 

At this time, there is no indication that your information has been accessed or used by the unauthorized 
party; however, out of an abundance of caution, we have arranged for you to enroll in identity theft 
protection services through ID Experts®, the data breach and recovery services expert, to provide you with 
MyIDCare™. With this protection, MyIDCare will help you resolve issues if your identity is compromised. 
We strongly encourage you to register for this free identity theft protection service. To enroll please visit 
https://app.myidcare.com/account-creation/protect or call 1-800-939-4170 and provide the following 
membership enrollment code: [Enrollment Code]. 

Your 12 month MyIDCare membership will include the following: 

Complete Credit Monitoring and Recovery Services 

*□ Single Bureau Credit Monitoring - Monitors any changes reported by Experian Credit Bureau to 
your credit report. 
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• □ CyberScan Monitoring - Monitors criminal websites, chat rooms, and bulletin boards for illegal 

selling or trading of their personal information. 

• J Access to the ID Experts Team - Access to an online resource center for up-to-date information 

on new identity theft scams, tips for protection, legislative updates and other topics associated with 
maintaining the health of your identity, 

• □ Complete Recovery Services - Should you believe that you are a victim of identity theft, 

MyIDCare will work with you to assess, stop, and reverse identity theft issues. 

• □ Identity Theft Insurance - In the event of a confirmed identity theft, you may be eligible for 

reimbursement of up to $1,000,000 for expenses related to that theft. 

We sincerely regret any inconvenience or concern that this matter may have caused you. We want to assure 
you that we have taken steps to prevent a similar event from occurring, including increasing email account 
security, reviewing and revising our wire transfer procedures and training employees on best practices to 
counter the growing activity of cybercrime. 

Should you have any questions or concerns about this incident, please contact me by phone or email at 
(802) 876-7478 or scott@gmlawvt.com. 

Sincerely, 


Scott A. McAllister, Esq. 
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MyIDCare' 

Recommended Steps to help Protect your Information 

Please Note: Minors, under the age of 18, should not have a credit history established and are under 
the age to secure credit. Therefore, credit monitoring may not be applicable at this time for them. All 
other services provided in the membership will apply. No one is allowed to place a fraud alert on your 
credit report except you, please follow the instructions below to place the alert. 

1* Website and Enrollment. Go to httpsV/app.mvidcarexQm/account-creation/protect and follow the 
instructions for enrollment using your Enrollment Code provided above. Once you have completed your 
enrollment, you will receive a welcome letter by email (or by mail if you do not provide an email address 
when you sign up). The welcome letter will direct you to the MyIDCare Member Website where you will 
find other valuable educational information. 

2. Activate the credit monitoring provided as part of your MyIDCare membership. Credit and CyberScan 
Monitoring are included in the membership, but you must personally activate it for it to be effective. Note: 
You must have established credit and access to a computer and the internet to use this service. If you 
need assistance, MyIDCare will be able to assist you. 

3. Review your credit reports. We recommend that you remain vigilant by reviewing account statements 
and monitoring credit reports. Under federal law, you also are entitled every 12 months to one free copy 
of your credit report from each of the three major credit reporting companies. To obtain a free annual 
credit report, go to www.annualcreditreport.com or call 1-877-322-8228. You may wish to stagger your 
requests so that you receive a free report by one of the three credit bureaus every four months. 

If you discover any suspicious items and have enrolled in MyIDCare, notify them immediately by calling or 
by visiting their Miember website and filing a theft report. 

If you file a theft report with MyIDCare, you will be contacted by a member of our ID Care team who will 
help you determine the cause of the suspicious items. In the unlikely event that you fall victim to identity 
theft as a consequence of this incident, you will be assigned an ID Care Specialist who will work on your 
behalf to identify, stop and reverse the damage quickly. 

You should also know that you have the right to file a police report if you ever experience identity fraud. 
Please note that in order to file a crime report or incident report with law enforcement for identity theft, 
you will likely need to provide some kind of proof that you have been a victim. A police report is often 
required to dispute fraudulent items. You can report suspected incidents of identity theft to local law 
enforcement or to the Attorney General. 

4. Place Fraud Alerts with the three credit bureaus. If you choose to place a fraud alert, we recommend 
you do this after activating your credit monitoring. You can place a fraud alert at one of the three major 
credit bureaus by phone and also via Experian's or Equifax's website following the directions provided 
below. 
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Additional Important Information 


For residents of Hawaii Michigan, Missouri, Virginia, Vermont, and North Carolina ; It is recommended by state law that you remain vigilant 
for incidents of fraud and identify theft by reviewing credit card account statements and monitoring your credit report for unauthorized 
activity. 

For residents of Illinois, Iowa L Maryland, Missouri North Carolina, Oregon, and West Virginia: 

It is required by state laws to inform you that you may obtain a copy of your credit report, free of charge, whether or not you suspect 
any unauthorized activity on your account. You may obtain a free copy of your credit report from each of the three nationwide credit 
reporting agencies. To order your free credit report, please visit www.annualcreditreport.com , or call toll-free at 1-877-322-8228. You can also 
order your annual free credit report by mailing a completed Annual Credit Report Request Form (available at 
https://www.consumer.ftc.gov/articles/0155-free-credit-reports) to: Annual Credit Report Request Service, P.Q. Box 105281, Atlanta, GA, 30348- 
5281. 

For residents of Iowa: 

State law advises you to report any suspected identity theft to law enforcement or to the Attorney General. 

For residents of Oregon : 

State laws advise you to report any suspected identify theft to law enforcement, including the Attorney General, and the Federal Trade 
Commission. 

For residents of Maryland, Rhode Island, Illinois, and North Carolina: 

You can obtain information from the Maryland and North Carolina Offices of the Attorneys General and the Federal Trade 
Commission about fraud alerts, security freezes, and steps you can take toward preventing identity theft. 


Maryland Office of the 
Attorney General 

Consumer Protection Division 
200 St. Paul Place 
Baltimore, MD 21202 
1-888-743-0023 
www.oag.sfate.md.us 


Rhode Island Office of the Attorney 
General 

Consumer Protection 
150 South Main Street 
Providence Rl 02903 
1-401-274-4400 
www.riag.ri.gov 


North Carolina Office of the 
Attorney General 

Consumer Protection Division 
9001 Mail Service Center 
Raleigh, NC 27699-9001 
1-877-566-7226 

www.ncdoj.com 


Federal Trade Commission 

Consumer Response Center 
600 Pennsylvania Ave, NW 
Washington, DC 20580 
1-877-IDTHEFT (438-4338) 

www.ftc.gov/idtheft 


For residents of Massachusetts: It is required by state law that you are informed of your right to obtain a police report if you are a victim of identify theft 


For residents of all states: 

Fraud Alerts: You can place fraud alerts with the three credit bureaus at one of the three major credit bureaus by phone and also via Experian's or 
Equifax's website. A fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change 
your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit. As of September 
21, 2018, initial fraud alerts last for one year and victims of identity theft can also obtain an extended fraud alert for a total of seven years. The 
contact information for all three credit bureaus is below. 


Monitoring: You should always remain vigilant and monitor your accounts for suspicious or unusual activity. 


Security Freeze: You also have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans and 
services from being approved in your name without your consent. To place a security freeze on your credit report, you need to make a request to 
each consumer reporting agency. You may make that request by certified mail, overnight mail, or regular stamped mail, or by following the 
instructions found at the websites listed below. The following information must be included when requesting a security freeze (note that if you are 
requesting a credit report for your spouse or a minor under the age of 16, this information must be provided for him/her as well): (1) full name, with 
middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; 
and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include 
a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be 
legible, display your name and current mailing address, and the date of issue. As of September 21, 2018, it is free to place, lift, or remove a security 
freeze. You may also place a security freeze for children under the age of 16. You may obtain a security freeze by contacting any one or more of the 
following national consumer reporting agencies: 


Equifax Security Freeze 

P.O.Box 105788 
Atlanta, GA 30348 

www freeze.eq uifax. com 

800-525-6285 


Experian Security Freeze 

P.O. Box 9554 

Allen, TX 75013 

www.experian.com/freeze 

888-397-3742 


TransUmon (FVAD) 

P.O. Box 2000 
Chester, PA 19022 
freeze .transunion.com 
800-680-7289 


More information can also be obtained by contacting the Federal Trade Commission listed above. 
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Schnitzer, Steven 


From: breach.security@ag.ny.gov 

Sent: Friday, October 19, 2018 2:36 PM 

To: Breach Security 

Subject: NYS Security Breach Notification submission/NYAG Confirmation # SB46697 

Attachments: ATT00001 .bin; Gale & McAllister - AG Notification - NY.pdf 


OFFICE OF THE ACTING ATTORNEY GENERAL BARBARA UNDERWOOD 
STATE OF NEW YORK DEPARTMENT OF LAW 



Bureau of Internet mid Technology 
28 Liberty Street 
New York, NY 10005 

Phone: (212)416-8433 | Fax: (212) 416-8369 


Consumer Hotline 
(8oo)77i-7755 
TDD (800) 788-9898 
http://www.ag.ny.gov 


Submitted on: 10/19/2018 02:35 PM 
Complaint ID: SB46697 


Entity Information 


Name: 

Street Address: 

City/Town: 

State: 

Zip: 

Organization Type: 
Organization Size: 
URL: 


Gale & McAllister, PLLC 

78 Severance Green Suite 102 

Colehester 

VT 

05446 

Other Commercial 
6 to 25 

https://www.gmlawvt.com/ 


Breach Details 


Description of Breach: 

Type of attack: 

Other Description: 

Information acquired in combination with 
name or other personal identifier: 


External systems breach 
Password/Credentials Compromised 


Personal information (date of birth, etc.); Social security 
number; Driver license number (or non-driver 
identification card number) 


Total persons affected (Including NYS 
residents): 


11 


1 





New York State residents affected: 2 

Do you believe that this security breach w as 
part of a larger breach that likely affected No 
other organizations? 

Comments: 


If the number of NYS residents exceeds 5,000, 
have the consumer reporting agencies been No 
notified? 


Breach Occurred From: 
Breach Occurred To: 
Breach Discovered: 


08/26/2018 

09/05/2018 

09/25/2018 


Other Information 


Consumer notification date: 

Manner of notification to affected 
persons: 

List dates of any previous (w ithin 12 
months) breach notifications: 

Identity theft protection service offered: 
Provider: 

Duration: 

Brief description of service: 


10/19/2018 

Written 


Yes 

ID Experts 
12 months 

ID Experts will offer credit monitoring, cyber-scan monitoring, 
recovery services and identity theft insurance. 


Submitted By 

Name: 

Title: 

Firm name: 

Telephone: 

Email: 

Relationship to entity whose information was 
compromised: 

Additional comments: 


Gregory Bautista 
Partner 

Wilson Elser Moskowitz Edelman & Dicker 
LLP 

914-872-7839 

Gregory.Bautista@wilsonelser.com 

Counsel 


2 



